Module 5 - Risk Management Flashcards
Risk Management
Risk management identifies risks and vulnerabilities that pose a threat and applies administrative actions and comprehensive solutions to make sure the organisation is adequately protected.
Risk
Risk is the probability of loss due to a threat — a malicious act or unexpected event — that damages information systems or organisational assets.
Risk Impact
Risk impact is the damage incurred by an event which causes loss of asset(s) or disruption of service(s). The goal of risk management is to reduce these threats to an acceptable level and to implement controls to maintain that level.
High risk
Negligence means that no actions or controls are taken to lower risk. The threat is very high, and the cost of an incident could be catastrophic.
Lower Risk
Exercising due care can help lower the level of risk. The risk still exists, but these reasonable steps lower the potential loss.
Acceptable Risk
Exercising due diligence involves taking reasonable steps to eliminate risk. Some risks still exist, but multiple controls are implemented to prevent potential loss.
Risk Management options
- Avoidance (Elimination)
- Mitigation (Reduction)
- Transfer
- Accept
Negligence
Negligence is a legal concept that refers to the failure to exercise reasonable care or the failure to take appropriate precautions, resulting in harm or damage to others. It can occur when an individual or entity, such as an organisation, does not meet the standard of care expected in a given situation, leading to potential legal liability.
Due Care
Due care refers to the degree of care and attention that a reasonable and prudent person or organisation would exercise in similar circumstances to prevent harm or minimize risk.
Due Diligence
Due diligence is a more extensive and comprehensive investigation or research process undertaken to gather all relevant information and facts before making a decision or taking action.
Assets
Assets are anything of value that is used in, and is necessary for, the completion of a business task. Assets include both tangible and intangible items such as equipment, software code, data, facilities, personnel, market value and public opinion. Risk management is all about protecting valued organisational assets.
Threats
A threat is a malicious act or unexpected event that damages information systems or other related organisational assets. Threats can be intentional actions that result in the loss of, or damage to, an asset. Threats can also be unintentional, like an accident, natural disaster, or equipment failure.
Vulnerability
A vulnerability is any flaw or weakness that would allow a threat to cause harm and damage an asset. Examples include faulty code, misconfigurations, and failure to follow procedures.
Impact
Risk impact is the damage incurred by an event which causes loss of an asset or disruption of service. This damage can be measured quantitatively or qualitatively based on the impact to the organisation’s operations.
Countermeasures
A countermeasure is an action, device, or technique that reduces a threat or a vulnerability by eliminating or preventing it. Examples include antivirus software, firewalls, policies, and training.
Risk Assessment
Risk assessment is the process of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls.
What are the stages of the Risk Management Process?
- Frame the Risk
- Assess the Risk
- Respond to the Risk
- Monitor the Risk
Frame the Risk
Identify the threats throughout the organization that increase risk. Threats identified include loss or damage of processes and products, attacks, potential failure or disruption of services, harm to the organization’s reputation, legal liability, and loss of intellectual property.
Respond to the Risk
Develop an action plan to reduce overall organization risk exposure. Management ranks and prioritizes threats; a team then determines how to respond to each threat. Risk can be eliminated, mitigated, transferred, or accepted.
Assess the Risk
Once a risk has been identified, it is assessed and analyzed to determine the severity that the threat poses. Some threats can bring the entire organization to a standstill while other threats are merely minor inconveniences. Risk can be prioritized by actual financial impact (quantitative analysis) or a scaled impact on the organization’s operation (qualitative analysis).
Monitor the Risk
Continuously review risk reductions due to elimination, mitigation and transfer actions.
Not all risks can be eliminated, so threats that are accepted need to be closely monitored. An organisation can use a risk register — a software program or cloud service — to record information about identified risks. The risk register contains details about the risk and the controls implemented or response strategies used.